Global networking of computers has greatly affected business. As the number of computers linked to networks grows, businesses increasingly rely on networks to interact. More and more people use electronic mail, websites, various file transfer methods, and remote office applications, among other types of software, to facilitate business transactions and perform job related tasks.
These applications and uses still rely on early network addressing technologies and flow control protocols to transmit data packets across networks. For example, the Internet Protocol (IP) is an addressing protocol for referencing remote devices on a network. The protocol is implemented to include a packet header that contains bits representing an address of the source, an address of the target, and various other parameters associated with the packet. The Address Resolution Protocol (ARP) is used to reconcile physical addresses on local segments of a network with IP addresses. Other protocols are used for flow control, including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). These protocols may be used to control the flow of packets across a network (e.g., between different network segments), including subdividing and reassembling the packets. TCP also includes methods for verifying the arrival of a packet. Other protocols include Internet Control Message Protocol (ICMP), Internetwork Packet Exchange (IPX), Simple Network Management Protocol (SNMP), NetBIOS, and ARP, among others. Historically, these protocols were designed for use on a trusted network and as such do not include many security features. To address this problem, newer protocols are designed to include some security measures. However, at present, the global Internet and many local area networks predominantly use older protocols with various vulnerabilities.
Hackers and malfeasants take advantage of the weaknesses in these protocols to disrupt, infiltrate, or destroy networked devices. These attacks include denial-of-service attacks, infiltration attacks, viruses, and worms, among others. Denial-of-service attacks often limit the network activity of a target computer by inundating the target with requests or messages. In one example, an attacking computer or set of computers may send a plethora of low-level pings to the target device. If the pings include a non-existent return address, the target machine could send a response message and then wait for a timeout period for a reply that never arrives. In attempting to respond to the pings, the target machine effectively denies network access to other applications.
Infiltration attacks often circumvent password security and gain access to files. Once the attacker has accessed the network, the attacker may steal private information such as credit card or social security numbers. Moreover, the attacker may damage valuable data, install a worm or spying program, or install programs to utilize computational capacity. Hackers use various tools and methodologies to discover vulnerable devices and interact with them. These tools include address scanners, port scanners, worms, and packet formulation programs, among others. For example, a hacker may send reconnaissance packets to a local network segment in search of a computer or device. Once a device is found, the hacker may scan the ports on the device in search of a vulnerable port. Reconnaissance detection activities watch for a pattern of activity where an attacker first obtains knowledge of the internal addresses of the target devices, and then uses those internal addresses as target recipients of a virus or worm.
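The reconnaissance pattern just described (address discovery first, then port probing of the discovered hosts) can be recognized from flow records alone. The following is an added example written for this page, not code from the patent or its assignee; the flow records, thresholds, and address values are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records, not taken from the page: (time_s, src, dst, dst_port).
# 203.0.113.5 first contacts ten distinct internal hosts on port 80 (an address
# sweep), then probes ten ports on one host it found (a port scan).
# 10.0.0.50 is ordinary repeated traffic to a single service and must not fire.
FLOWS = (
    [(t, "203.0.113.5", f"10.0.0.{t + 1}", 80) for t in range(10)]
    + [(20 + i, "203.0.113.5", "10.0.0.7", p)
       for i, p in enumerate((21, 22, 23, 25, 110, 135, 139, 443, 445, 3389))]
    + [(5 * i, "10.0.0.50", "10.0.0.7", 443) for i in range(6)]
)


def detect_recon(flows, sweep_threshold=8, scan_threshold=6):
    """Flag sources that contact many distinct hosts (address sweep) and then
    probe many distinct ports on a host they discovered (port scan).

    Returns {src: [finding, ...]} in time order. The thresholds are assumed
    values chosen for the constructed data, not figures from the page."""
    hosts_seen = defaultdict(set)                        # src -> {dst}
    ports_seen = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    sweep_flagged, scan_flagged = set(), set()
    findings = defaultdict(list)

    for t, src, dst, port in sorted(flows):
        hosts_seen[src].add(dst)
        ports_seen[src][dst].add(port)

        # Sweep: one source has touched at least sweep_threshold distinct hosts.
        if src not in sweep_flagged and len(hosts_seen[src]) >= sweep_threshold:
            sweep_flagged.add(src)
            findings[src].append(f"address_sweep: {len(hosts_seen[src])} hosts by t={t}")

        # Scan: one source has touched at least scan_threshold ports on one host.
        if (src, dst) not in scan_flagged and len(ports_seen[src][dst]) >= scan_threshold:
            scan_flagged.add((src, dst))
            # A scan that follows a sweep from the same source is the sequence the
            # text describes: addresses are learned first, then used as targets.
            stage = "port_scan_after_sweep" if src in sweep_flagged else "port_scan"
            findings[src].append(f"{stage}: {dst} ({len(ports_seen[src][dst])} ports) at t={t}")

    return dict(findings)


if __name__ == "__main__":
    for src, items in detect_recon(FLOWS).items():
        print(src)
        for item in items:
            print("  ", item)
```

Run on the constructed records, only the sweeping source is reported, first for the sweep and then for the scan that follows it; the single-service client produces no finding. In a real deployment the two thresholds would be tuned to the segment's normal fan-out, and the distinct-host and distinct-port sets would be aged out over a time window rather than kept for the whole capture.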
Viruses infect files and utilize vulnerabilities of programs that interpret the files to propagate. A virus may also function to erase data. Viruses are usually small computer programs that attach themselves to existing computer programs in the target computer.
Viruses can be transmitted over the Internet using some form of likely-to-be-transmitted computer data structure—in many cases, an e-mail message. The virus contains a mechanism that allows the virus program to be activated from the containing data structure—typically when the e-mail is read. Viruses, in comparison to the other two forms of network threat, are passive: to become active, certain actions are performed on the containing data structure to activate the virus program. For example, with a virus program spread via e-mail, the action is opening an e-mail attachment.
Worms are self-replicating programs that infect computers. In some cases, these worms take advantage of the trusting relationships between computers to infiltrate a network and send network data to other internal computers and devices. In contrast to viruses, worms are typically independent of other actions, programs, or data structures. Worm programs are propagated using existing network protocols, such as ICMP or SNMP, and typically do not require either human intervention or any form of external activation, such as opening an e-mail attachment.
Network worms are characterized by their need to propagate. To propagate, network worms contain operating instructions, also referred to as code or code blocks. These operating instructions can take the form of a computer program, designed to execute on the target computer, or commands to Internet services on the target computer using, for example, the Hypertext Transfer Protocol (HTTP) protocol. In general, the worm provides some method for gaining control of the target to accomplish the worm's objectives on the target and to continue to propagate.
FIG. 1 is a diagram showing progression of a rapidly propagating threat. Assume that initial source 10 is the originator of a rapidly propagating threat, whether the threat is internal or external to the target organization's computer infrastructure. For example, initial source 10 may be a node within an internal network environment of the organization that has been compromised and has begun to disseminate worm packets. Alternatively, initial source 10 may be a computer system external to the target organization that infiltrates the target organization's security mechanisms to infect the internal network environment. Threat packets are distributed through the organizational structure in a “spreading activation model.”
In FIG. 1, assume that initial source 10 obtains the addresses of three destinations internal to the target organization's computer infrastructure. Initial source 10 sends packets to the target organization's first-level destinations, which are identified in FIG. 1 as destinations 1.1, 1.2, and 1.3. One of skill in the art will recognize that the number of destination addresses can vary and that three destinations are used as an example only. Furthermore, while unique destinations are shown at each of the first-, second-, and third-level destinations, one of skill will recognize that it is possible for an infected node to send threat packets to an already-infected node, thereby re-infecting the node and causing additional threat packets to be sent.
In FIG. 1, assume that the worm is triggered as soon as a threat packet is received at destinations 1.1, 1.2, and 1.3. As a result of receiving a threat packet, each of destinations 1.1, 1.2, and 1.3 sends another threat packet to one or more internal destinations to which that destination can communicate data. For example, destination 1.1 is shown as sending threat packets to second-level destinations 2.1, 2.2, and 2.3; destination 1.2 is shown as sending threat packets to second-level destinations 2.4 and 2.5; and destination 1.3 is shown as sending packets to second-level destinations 2.6 and 2.7. In turn, destination 2.1 is shown as sending a threat packet to each of third-level destinations 3.1 and 3.2, and destination 2.7 is shown as sending a threat packet to each of third-level destinations 3.14, 3.15, and 3.16. As one of skill in the art will recognize, such a threat has the possibility of infecting an exponential number of destinations very rapidly.
In the example of FIG. 1, each of the destinations is unique. One of skill in the art will recognize that a given destination may be re-infected when that destination receives threat packets from more than one source address. In addition, the same source address may transmit additional threat packets to an already-infected device.
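The spreading activation model of FIG. 1, including the re-infection case noted above, can be simulated directly. The code below is an added example for this page, not the patent's own; the reachability map reproduces only the edges the text names for FIG. 1 (second-level destinations whose outgoing edges are not named are left without any), and the uniform-tree generator is an assumption added to show the exponential growth the text mentions.

```python
# Reachability map reconstructed from the edges the text names for FIG. 1
# (constructed; second-level destinations whose edges are not named in the
# text have no outgoing edges here).
FIG1_REACH = {
    "10": ["1.1", "1.2", "1.3"],
    "1.1": ["2.1", "2.2", "2.3"],
    "1.2": ["2.4", "2.5"],
    "1.3": ["2.6", "2.7"],
    "2.1": ["3.1", "3.2"],
    "2.7": ["3.14", "3.15", "3.16"],
}


def simulate_spread(reach, source, resend_on_reinfection=False, max_waves=20):
    """Spreading-activation model: every node infected in wave k sends one threat
    packet to each address it can reach; recipients not yet infected become
    wave k+1. With resend_on_reinfection=True an already-infected recipient is
    triggered again and also sends in wave k+1, so a cycle in the reachability
    map keeps generating packets until max_waves is reached.

    Returns (waves, infected): waves is a list of
    (new_infections, packets_sent, packets_to_already_infected) per wave."""
    infected = {source}
    frontier = [source]
    waves = []
    for _ in range(max_waves):
        new, reinfected, packets = [], [], 0
        for node in frontier:
            for dst in reach.get(node, ()):
                packets += 1
                if dst in infected:
                    if dst not in reinfected:
                        reinfected.append(dst)
                else:
                    infected.add(dst)
                    new.append(dst)
        if packets == 0:          # nothing left that can send: propagation stops
            break
        waves.append((len(new), packets, packets - len(new)))
        frontier = new + (reinfected if resend_on_reinfection else [])
    return waves, infected


def uniform_tree(fanout, depth):
    """Assumed helper: a reachability map in which every node at depth < depth
    reaches `fanout` fresh nodes, so each wave infects fanout^k new nodes."""
    reach, frontier, counter = {}, ["0"], 0
    for _ in range(depth):
        next_frontier = []
        for node in frontier:
            children = [str(counter + i + 1) for i in range(fanout)]
            counter += fanout
            reach[node] = children
            next_frontier.extend(children)
        frontier = next_frontier
    return reach


if __name__ == "__main__":
    waves, infected = simulate_spread(FIG1_REACH, "10")
    print("FIG. 1 waves (new, packets, to already infected):", waves)
    print("infected nodes:", len(infected))

    # Constructed cycle: 3.1 can reach 1.1, so 1.1 is re-infected in wave 4.
    cyclic = dict(FIG1_REACH, **{"3.1": ["1.1"]})
    print("with re-infection, senders not re-triggered:", simulate_spread(cyclic, "10")[0])
    print("with re-infection, senders re-triggered:",
          simulate_spread(cyclic, "10", resend_on_reinfection=True, max_waves=8)[0])
    print("uniform fan-out 3, depth 4:", simulate_spread(uniform_tree(3, 4), "0")[0])
```

On the FIG. 1 map the three waves infect 3, 7 and 5 destinations (16 nodes including the source) and then stop, because no third-level destination has anywhere to send. Adding one constructed back-edge shows the re-infection case: with re-triggering disabled the extra packet is counted and propagation ends; with re-triggering enabled the cycle keeps producing packets every wave even though no new node is infected, which is why a detector should not treat "every host already infected" as the end of the event. The uniform tree makes the exponential growth explicit: 3, 9, 27, 81 new infections per wave.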
The current state-of-the-art in worm detection uses signatures describing the worm structure. Signatures include combinations of instructions, also referred to as code, that are contained in the data portion of the worm message; these instructions are unique to that particular worm. Signatures are derived manually from an examination of infected network traffic. Typically, the time involved in creating a signature is such that the worm has done extensive damage before the worm defense (containing the signature) is completed.
Similarly, anti-virus software typically relies on signatures to detect viruses. As such, frequent updates are required to maintain a current database of virus signatures. If an undocumented virus enters the network, the anti-virus software will likely fail. Furthermore, most anti-virus software resides on each host machine within the network. If the anti-virus software can be defeated by an attack on one host machine, every instance of the anti-virus software on every host machine can be defeated.
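The limitation described in the two paragraphs above, that a signature only matches the worm or virus it was derived from, is easy to show with a minimal signature scanner. This is an added example for this page, not the patent's own code; the signature fragments, message payloads, and names are all constructed and correspond to no real worm.

```python
# Constructed signature database for illustration; the fragments are not real
# worm signatures. A message matches an entry when every fragment of that
# entry occurs somewhere in the message's data portion.
SIGNATURES = {
    "example-worm-A": [b"GET /example-vuln?", b"\x90\x90\x90\x90"],
    "example-worm-B": [b"\\\\example\\pipe", b"\xeb\x10\x5a\x4a"],
}


def scan_payload(payload, signatures=SIGNATURES):
    """Return the names of all signatures whose fragments all occur in payload."""
    return [name for name, frags in signatures.items()
            if all(frag in payload for frag in frags)]


def scan_messages(messages, signatures=SIGNATURES):
    """Scan {label: payload}; return {label: [matched names]} for hits only."""
    hits = {}
    for label, payload in messages.items():
        matched = scan_payload(payload, signatures)
        if matched:
            hits[label] = matched
    return hits


def scan_after_update(messages, new_name, fragments, signatures=SIGNATURES):
    """Re-scan with one additional signature: the 'frequent update' the text
    says signature-based defences depend on."""
    updated = dict(signatures)
    updated[new_name] = fragments
    return scan_messages(messages, updated)


# Constructed messages. The variant differs from the known worm in a single
# byte inside the code block the signature keys on.
MESSAGES = {
    "known":   b"GET /example-vuln?" + b"N" * 16 + b"\x90\x90\x90\x90\xcc",
    "variant": b"GET /example-vuln?" + b"N" * 16 + b"\x90\x41\x90\x90\xcc",
    "benign":  b"GET /index.html HTTP/1.0\r\n\r\n",
}


if __name__ == "__main__":
    print("before update:", scan_messages(MESSAGES))
    print("after update: ", scan_after_update(
        MESSAGES, "example-worm-A2", [b"GET /example-vuln?", b"\x90\x41\x90\x90"]))
```

Before the update only the message the signature was written for is reported; the one-byte variant passes unseen until a second signature is derived and distributed, which is the window of exposure the text describes. The benign request is not matched in either run.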
Many network security systems suffer from deficiencies in detecting and preventing attacks on a network. Many other problems and disadvantages of the prior art will become apparent to one skilled in the art of network security systems after comparing such prior art with the present invention as described herein.